Stuck on a SIP trunk registration issue that appeared after the latest maintenance window. The trunk uses TLS and SRTP, configured via the Admin portal. Registration attempts from the CPE device are failing with a 403 Forbidden response from the Genesys Cloud SIP proxy. The timestamp on the 403 response matches the current GMT time, so clock skew is unlikely.
The CPE is running firmware v4.2.1 and the certificate chain has been verified using OpenSSL. The private key matches the certificate exactly. I have regenerated the credentials in the Genesys Cloud Admin console under Telephony > Trunks, but the error persists.
Here is the relevant configuration snippet from the CPE:
sip_trunk:
  transport: tls
  port: 5061
  auth_method: digest
  username: "trunk_user_01"
  realm: "genesyscloud.com"
  proxy_host: "sip.genesyscloud.com"
  tls_cert: "/etc/ssl/certs/client.pem"
  tls_key: "/etc/ssl/private/client.key"
The Genesys Cloud PSTN integration logs show the request reaching the edge but being rejected before the digest challenge is issued. This suggests a pre-authentication failure, possibly related to the certificate SAN or the IP allow-listing. The CPE IP is whitelisted in the Genesys Cloud firewall settings.
Has anyone seen this specific 403 behavior with TLS trunks recently? Is there a hidden requirement for the certificate issuer or key length that is not documented in the standard integration guide? The logs do not provide a detailed reason phrase beyond Forbidden.
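
The distinction drawn in the post, a 403 sent before any digest challenge versus one sent after it, can be checked mechanically against a SIP trace from the CPE. The following is an added example, not part of the original post and not Genesys code: it groups responses by Call-ID and labels each 403 accordingly. The trace, the Call-IDs and the 192.0.2.10 address are constructed, and the messages carry only the headers the classifier reads.

```python
import re

# Constructed SIP trace (not from the original post); blank lines separate messages.
TRACE = """\
REGISTER sip:sip.genesyscloud.com SIP/2.0
Call-ID: a1@192.0.2.10

SIP/2.0 403 Forbidden
Call-ID: a1@192.0.2.10

REGISTER sip:sip.genesyscloud.com SIP/2.0
Call-ID: b2@192.0.2.10

SIP/2.0 401 Unauthorized
Call-ID: b2@192.0.2.10
WWW-Authenticate: Digest realm="genesyscloud.com", nonce="constructed"

REGISTER sip:sip.genesyscloud.com SIP/2.0
Call-ID: b2@192.0.2.10
Authorization: Digest username="trunk_user_01", realm="genesyscloud.com", nonce="constructed", response="0"

SIP/2.0 403 Forbidden
Call-ID: b2@192.0.2.10
"""

def parse(trace):
    """Split a text trace into (start_line, headers) tuples."""
    msgs = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        start, *rest = block.splitlines()
        hdrs = {k.strip().lower(): v.strip()
                for k, v in (line.split(":", 1) for line in rest if ":" in line)}
        msgs.append((start, hdrs))
    return msgs

def classify(trace):
    """Label each 403 per Call-ID: 'pre-auth' if no digest challenge preceded it."""
    challenged, verdict = set(), {}
    for start, hdrs in parse(trace):
        m = re.match(r"SIP/2\.0 (\d{3})", start)
        if not m:
            continue  # a request line, not a response
        cid, code = hdrs.get("call-id"), m.group(1)
        if code in ("401", "407") and ({"www-authenticate", "proxy-authenticate"} & hdrs.keys()):
            challenged.add(cid)  # server issued a digest challenge on this dialog
        elif code == "403":
            verdict[cid] = "post-challenge" if cid in challenged else "pre-auth"
    return verdict

if __name__ == "__main__":
    print(classify(TRACE))
```

A "pre-auth" result matches the behaviour described in the post, where the rejection happens before the credentials are ever evaluated.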